What's wrong with this SELECt Query?

Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
        Dim SQLData As New System.Data.SqlClient.SqlConnection("Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\Database.mdf;Integrated Security=True;User Instance=True")
        Dim cmdSelect As New System.Data.SqlClient.SqlCommand("SELECT COUNT(*) FROM Table1 WHERE Name =" + TextBox1.Text + " And Last = '" + TextBox2.Text + "'", SQLData)
        SQLData.Open()
        If cmdSelect.ExecuteScalar > 0 Then
            Label1.Text = "Record Found ! " & TextBox1.Text & " " & TextBox2.Text
            Return
        End If

        Label1.Text = "Record Not Found ! "
        SQLData.Close()
    End Sub

I write this code to find whether the record ent开发者_StackOverflow中文版ered in textbox1 and textbox2 exists or not ..if record exist ..then in label1 the text would be RECORD FOUND else NO RECORD FOUND

ERROR :

**when i enter in textbox1 and textbox2 then on button click event it shows the error : Invalid column name ,,**

---

Please use SqlCommand.Parameters collection. Please!! For the sake of better programming.

Dim cmdSelect As New System.Data.SqlClient.SqlCommand(
    "SELECT COUNT(*) FROM Table1 WHERE Name = @Name And Last = @Last", SQLData)

cmdSelect.Parameters.AddWithValue("@Name",TextBox1.Text)
cmdSelect.Parameters.AddWithValue("@Last",TextBox2.Text)

---

TextBox1.Text should be passed inside single quotes (').

Beside that, it seems to be another Little Bobby Tables case.

---

You need to add ' around the Textbox1.text value

e.g

'" + TextBox1.Text + "'

---

You should really not doing it like this since this is open for sql injection. Except from that I think you are missing some ' in the query around TextBox1.Text.